debian.ansible.mariadb.server/mariadb.yml

---
- name: mariadb
  hosts: all
  tasks:

    - name: Create /home/docker/mariadb.{{inventory_hostname}} dir
      ansible.builtin.file:
        path: /home/docker/mariadb.{{inventory_hostname}}
        owner: root
        group: docker
        state: directory
        mode: '0550'

    - name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh (generate Random PW)
      blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh
        create: yes
        mode: 0550
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          cd /home/docker/mariadb.{{inventory_hostname}}

          mysqlpassword=$(pwgen -s 32 1)

          [ -f env.db ] || echo "MARIADB_ROOT_PASSWORD=!MYSQLPASSWORD!
          " >env.db

          [ -f env.phpmyadmin ] || echo "PMA_USER=root
          PMA_PASSWORD=!MYSQLPASSWORD!
          " >env.phpmyadmin

          chmod 440 env.db env.phpmyadmin
          chown root:docker env.db env.phpmyadmin
          sed -i "s/\!MYSQLPASSWORD\!/$mysqlpassword/g" env.db env.phpmyadmin

        backup: yes
        validate: /bin/bash -n %s

    - name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh shebang
      lineinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh
        insertbefore: BOF
        line: "#!/bin/bash -e"

    - name: Gen initial passwords if not exists
      ansible.builtin.shell: ./genpw.sh
      args:
        chdir: /home/docker/mariadb.{{inventory_hostname}}
        creates: /home/docker/mariadb.{{inventory_hostname}}/env.db

    - name: /usr/local/sbin/autoupdate.d/mariadb-ssl.update
      blockinfile:
        path: /usr/local/sbin/autoupdate.d/mariadb-ssl.update
        create: yes
        mode: 0550
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          cd /home/docker/mariadb.{{inventory_hostname}}

          # start phpmyadmin (if not) to force traefik to get a letsencrypt certificate
          docker compose up -d mariadb.{{inventory_hostname}}--phpmyadmin
          mkdir -p ssl

          # take letsencrypt-certs from traefik and check for new ones
          new=0
          for ssl in key certificate
          do
            touch ssl/${ssl}.pem
            [ -d ssl/${ssl}.pem ] && rm -r ssl/${ssl}.pem
            
            # wait if no cert is available
            until [ -s "ssl/${ssl}.pem.new" ]
            do
              cat /home/docker/traefik/letsencrypt/acme.json  | jq -r ".letsencrypt.Certificates[] | select(.domain.main==\"mariadb.{{inventory_hostname}}\") | .${ssl}" | base64 -d >ssl/${ssl}.pem.new
              sleep 5
            done
            old=$(shasum ssl/${ssl}.pem)
            new=$(shasum ssl/${ssl}.pem.new)
            if ! [ "$new" = "$old" ]
            then
              new=1
              mv ssl/${ssl}.pem.new >shasum ssl/${ssl}.pem
            else
              rm ssl/${ssl}.pem.new
            fi
          done

          # make it readable for mysql user in the container
          chmod 400 ssl/*.pem
          chown 999:0 ssl/*.pem

          # restart if new cert ist available
          if [ -n "$new" ]
          then
            # start mariadb if not initialized and down
            notinitilized=""
            [ -s "db-data/mysql_upgrade_info" ] || notinitilized=1
            if [ -n "$notinitilized" ] 
            then 
              docker compose up -d mariadb.{{inventory_hostname}}
            else
              docker compose up -d --force-recreate mariadb.{{inventory_hostname}}
            fi
          fi
          
        backup: yes
        validate: /bin/bash -n %s

    - name: /usr/local/sbin/autoupdate.d/mariadb-ssl.update shebang
      lineinfile:
        path: /usr/local/sbin/autoupdate.d/mariadb-ssl.update
        insertbefore: BOF
        line: "#!/bin/bash -e"

    - name: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf (use ssl in mariadb)
      blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf
        create: yes
        mode: 0444
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          [mariadbd]
          ssl=1
          ssl-cert=/etc/mysql/certificate.pem
          ssl-key=/etc/mysql/key.pem
        backup: yes

    - name: /home/docker/mariadb.{{inventory_hostname}}/config.user.inc.php (use ssl in phpmyadmin)
      blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/phpmyadmin-config.user.inc.php
        create: yes
        mode: 0444
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          // IP address / host of your instance
          $cfg['Servers'][$i]['host'] = 'mariadb.{{inventory_hostname}}';
          // Use SSL for connection
          $cfg['Servers'][$i]['ssl'] = true;
          // Disable SSL verification
          $cfg['Servers'][$i]['ssl_verify'] = false;
        backup: yes

    - name: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml Container Configuration
      blockinfile:
        path: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml
        create: yes
        mode: 0440
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
        
          services:

            mariadb.{{inventory_hostname}}:
              image: mariadb:lts
              cap_add:
                - SYS_NICE
              restart: unless-stopped
              networks:
                - mariadb.{{inventory_hostname}}--network
              volumes:
                - ./db-data:/var/lib/mysql
                - /etc/localtime:/etc/localtime:ro
                - /home/docker/_defaults/mariadb/99-server.cnf:/etc/mysql/mariadb.conf.d/99-server.cnf:ro
                - ./ssl.cnf:/etc/mysql/mariadb.conf.d/99-ssl.cnf:ro
                - ./ssl/certificate.pem:/etc/mysql/certificate.pem:ro
                - ./ssl/key.pem:/etc/mysql/key.pem:ro
              env_file:
                - env.db
                - /home/docker/_defaults/mariadb/mariadb.env
              ports:
                - 0.0.0.0:33306:3306

            mariadb.{{inventory_hostname}}--phpmyadmin:
              image: phpmyadmin:latest
              restart: unless-stopped
              env_file: env.phpmyadmin
              environment:
                - PMA_ARBITRARY=0
                - PMA_HOST=mariadb.{{inventory_hostname}}
              volumes:
                - /etc/localtime:/etc/localtime:ro
                - ./phpmyadmin-config.user.inc.php:/etc/phpmyadmin/config.user.inc.php:ro
              networks:
                - mariadb.{{inventory_hostname}}--network
                - traefik
              labels:
                - traefik.enable=true
                # HTTPS
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.rule=Host(`mariadb.{{ ansible_facts['nodename'] }}`)
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.entrypoints=https
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls=true
                # Proxy to service-port
                - traefik.http.services.mariadb-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=80
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.service=mariadb-{{ ansible_facts['hostname'] }}
                # cert via letsencrypt
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt
                # Traefik network
                - traefik.docker.network=traefik
                # auth
                - traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.middlewares=secHeaders@file,default-basic-auth@file

          networks:
            mariadb.{{inventory_hostname}}--network:
              driver: bridge
              driver_opts:
                com.docker.network.bridge.name: br-mariadb
            traefik:
              external: true

        backup: yes        
      #notify: Restart mariadb

    - name: Get letsencrypt cert from traefik
      ansible.builtin.shell: /usr/local/sbin/autoupdate.d/mariadb-ssl.update
      args:
        chdir: /home/docker/mariadb.{{inventory_hostname}}
        creates: /home/docker/mariadb.{{inventory_hostname}}/ssl/certificate.pem

  handlers:

    #- name: Restart mariadb
    #  ansible.builtin.shell: docker-compose up -d --force-recreate
    #  args:
    #    chdir: /home/docker/mariadb.{{inventory_hostname}}
first commit 2024-05-26 12:33:49 +02:00			`---`
			`- name: mariadb`
			`hosts: all`
			`tasks:`

			`- name: Create /home/docker/mariadb.{{inventory_hostname}} dir`
			`ansible.builtin.file:`
			`path: /home/docker/mariadb.{{inventory_hostname}}`
			`owner: root`
			`group: docker`
			`state: directory`
			`mode: '0550'`

			`- name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh (generate Random PW)`
			`blockinfile:`
			`path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh`
			`create: yes`
			`mode: 0550`
			`owner: root`
			`group: docker`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`cd /home/docker/mariadb.{{inventory_hostname}}`

			`mysqlpassword=$(pwgen -s 32 1)`

			`[ -f env.db ] \|\| echo "MARIADB_ROOT_PASSWORD=!MYSQLPASSWORD!`
			`" >env.db`

			`[ -f env.phpmyadmin ] \|\| echo "PMA_USER=root`
			`PMA_PASSWORD=!MYSQLPASSWORD!`
			`" >env.phpmyadmin`

			`chmod 440 env.db env.phpmyadmin`
			`chown root:docker env.db env.phpmyadmin`
			`sed -i "s/\!MYSQLPASSWORD\!/$mysqlpassword/g" env.db env.phpmyadmin`

			`backup: yes`
			`validate: /bin/bash -n %s`

			`- name: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh shebang`
			`lineinfile:`
			`path: /home/docker/mariadb.{{inventory_hostname}}/genpw.sh`
			`insertbefore: BOF`
			`line: "#!/bin/bash -e"`

			`- name: Gen initial passwords if not exists`
			`ansible.builtin.shell: ./genpw.sh`
			`args:`
			`chdir: /home/docker/mariadb.{{inventory_hostname}}`
mariadb.yml aktualisiert 2024-05-26 19:01:33 +02:00			`creates: /home/docker/mariadb.{{inventory_hostname}}/env.db`
first commit 2024-05-26 12:33:49 +02:00
mariadb.yml aktualisiert 2024-05-27 15:31:27 +02:00			`- name: /usr/local/sbin/autoupdate.d/mariadb-ssl.update`
first commit 2024-05-26 12:33:49 +02:00			`blockinfile:`
mariadb.yml aktualisiert 2024-05-27 15:31:27 +02:00			`path: /usr/local/sbin/autoupdate.d/mariadb-ssl.update`
first commit 2024-05-26 12:33:49 +02:00			`create: yes`
			`mode: 0550`
			`owner: root`
mariadb.yml aktualisiert 2024-05-27 15:31:27 +02:00			`group: root`
first commit 2024-05-26 12:33:49 +02:00			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`cd /home/docker/mariadb.{{inventory_hostname}}`
mariadb.yml aktualisiert 2024-05-28 13:39:58 +02:00
			`# start phpmyadmin (if not) to force traefik to get a letsencrypt certificate`
mariadb.yml aktualisiert 2024-05-28 12:49:24 +02:00			`docker compose up -d mariadb.{{inventory_hostname}}--phpmyadmin`
mariadb.yml aktualisiert 2024-05-27 15:31:27 +02:00			`mkdir -p ssl`
mariadb.yml aktualisiert 2024-05-28 13:39:58 +02:00
mariadb.yml aktualisiert 2024-05-27 15:31:27 +02:00			`# take letsencrypt-certs from traefik and check for new ones`
			`new=0`
			`for ssl in key certificate`
			`do`
			`touch ssl/${ssl}.pem`
mariadb.yml aktualisiert 2024-05-28 12:03:21 +02:00			`[ -d ssl/${ssl}.pem ] && rm -r ssl/${ssl}.pem`
mariadb.yml aktualisiert 2024-05-28 13:43:09 +02:00
			`# wait if no cert is available`
mariadb.yml aktualisiert 2024-05-27 15:31:27 +02:00			`until [ -s "ssl/${ssl}.pem.new" ]`
			`do`
mariadb.yml aktualisiert 2024-05-28 11:47:34 +02:00			`cat /home/docker/traefik/letsencrypt/acme.json \| jq -r ".letsencrypt.Certificates[] \| select(.domain.main==\"mariadb.{{inventory_hostname}}\") \| .${ssl}" \| base64 -d >ssl/${ssl}.pem.new`
mariadb.yml aktualisiert 2024-05-27 15:36:14 +02:00			`sleep 5`
mariadb.yml aktualisiert 2024-05-27 15:31:27 +02:00			`done`
			`old=$(shasum ssl/${ssl}.pem)`
			`new=$(shasum ssl/${ssl}.pem.new)`
			`if ! [ "$new" = "$old" ]`
			`then`
			`new=1`
			`mv ssl/${ssl}.pem.new >shasum ssl/${ssl}.pem`
			`else`
			`rm ssl/${ssl}.pem.new`
			`fi`
			`done`

mariadb.yml aktualisiert 2024-05-28 13:43:09 +02:00			`# make it readable for mysql user in the container`
mariadb.yml aktualisiert 2024-05-28 14:00:25 +02:00			`chmod 400 ssl/*.pem`
mariadb.yml aktualisiert 2024-05-28 13:43:09 +02:00			`chown 999:0 ssl/*.pem`
mariadb.yml aktualisiert 2024-05-27 15:31:27 +02:00
mariadb.yml aktualisiert 2024-05-28 13:43:09 +02:00			`# restart if new cert ist available`
mariadb.yml aktualisiert 2024-05-27 15:31:27 +02:00			`if [ -n "$new" ]`
			`then`
mariadb.yml aktualisiert 2024-05-28 13:48:34 +02:00			`# start mariadb if not initialized and down`
mariadb.yml aktualisiert 2024-05-28 14:10:06 +02:00			`notinitilized=""`
			`[ -s "db-data/mysql_upgrade_info" ] \|\| notinitilized=1`
			`if [ -n "$notinitilized" ]`
			`then`
			`docker compose up -d mariadb.{{inventory_hostname}}`
			`else`
			`docker compose up -d --force-recreate mariadb.{{inventory_hostname}}`
			`fi`
mariadb.yml aktualisiert 2024-05-27 15:31:27 +02:00			`fi`
mariadb.yml aktualisiert 2024-05-27 13:43:45 +02:00
first commit 2024-05-26 12:33:49 +02:00			`backup: yes`
			`validate: /bin/bash -n %s`

mariadb.yml aktualisiert 2024-05-27 15:34:30 +02:00			`- name: /usr/local/sbin/autoupdate.d/mariadb-ssl.update shebang`
first commit 2024-05-26 12:33:49 +02:00			`lineinfile:`
mariadb.yml aktualisiert 2024-05-27 15:34:30 +02:00			`path: /usr/local/sbin/autoupdate.d/mariadb-ssl.update`
first commit 2024-05-26 12:33:49 +02:00			`insertbefore: BOF`
			`line: "#!/bin/bash -e"`

mariadb.yml aktualisiert 2024-05-27 11:43:57 +02:00			`- name: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf (use ssl in mariadb)`
first commit 2024-05-26 12:33:49 +02:00			`blockinfile:`
			`path: /home/docker/mariadb.{{inventory_hostname}}/ssl.cnf`
			`create: yes`
mariadb.yml aktualisiert 2024-05-27 11:43:57 +02:00			`mode: 0444`
first commit 2024-05-26 12:33:49 +02:00			`owner: root`
			`group: docker`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
mariadb.yml aktualisiert 2024-05-26 22:32:59 +02:00			`[mariadbd]`
first commit 2024-05-26 12:33:49 +02:00			`ssl=1`
mariadb.yml aktualisiert 2024-05-27 15:31:27 +02:00			`ssl-cert=/etc/mysql/certificate.pem`
			`ssl-key=/etc/mysql/key.pem`
first commit 2024-05-26 12:33:49 +02:00			`backup: yes`

mariadb.yml aktualisiert 2024-05-27 11:43:57 +02:00			`- name: /home/docker/mariadb.{{inventory_hostname}}/config.user.inc.php (use ssl in phpmyadmin)`
			`blockinfile:`
			`path: /home/docker/mariadb.{{inventory_hostname}}/phpmyadmin-config.user.inc.php`
			`create: yes`
			`mode: 0444`
			`owner: root`
			`group: docker`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`// IP address / host of your instance`
			`$cfg['Servers'][$i]['host'] = 'mariadb.{{inventory_hostname}}';`
			`// Use SSL for connection`
			`$cfg['Servers'][$i]['ssl'] = true;`
			`// Disable SSL verification`
mariadb.yml aktualisiert 2024-05-27 15:31:27 +02:00			`$cfg['Servers'][$i]['ssl_verify'] = false;`
mariadb.yml aktualisiert 2024-05-27 11:43:57 +02:00			`backup: yes`

first commit 2024-05-26 12:33:49 +02:00			`- name: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml Container Configuration`
			`blockinfile:`
			`path: /home/docker/mariadb.{{inventory_hostname}}/docker-compose.yml`
			`create: yes`
			`mode: 0440`
			`owner: root`
			`group: docker`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`

			`services:`

			`mariadb.{{inventory_hostname}}:`
			`image: mariadb:lts`
			`cap_add:`
			`- SYS_NICE`
			`restart: unless-stopped`
			`networks:`
			`- mariadb.{{inventory_hostname}}--network`
			`volumes:`
			`- ./db-data:/var/lib/mysql`
			`- /etc/localtime:/etc/localtime:ro`
mariadb.yml aktualisiert 2024-05-27 11:43:57 +02:00			`- /home/docker/_defaults/mariadb/99-server.cnf:/etc/mysql/mariadb.conf.d/99-server.cnf:ro`
			`- ./ssl.cnf:/etc/mysql/mariadb.conf.d/99-ssl.cnf:ro`
mariadb.yml aktualisiert 2024-05-27 15:31:27 +02:00			`- ./ssl/certificate.pem:/etc/mysql/certificate.pem:ro`
			`- ./ssl/key.pem:/etc/mysql/key.pem:ro`
first commit 2024-05-26 12:33:49 +02:00			`env_file:`
			`- env.db`
			`- /home/docker/_defaults/mariadb/mariadb.env`
			`ports:`
			`- 0.0.0.0:33306:3306`

			`mariadb.{{inventory_hostname}}--phpmyadmin:`
			`image: phpmyadmin:latest`
			`restart: unless-stopped`
			`env_file: env.phpmyadmin`
			`environment:`
			`- PMA_ARBITRARY=0`
			`- PMA_HOST=mariadb.{{inventory_hostname}}`
			`volumes:`
			`- /etc/localtime:/etc/localtime:ro`
mariadb.yml aktualisiert 2024-05-27 11:43:57 +02:00			`- ./phpmyadmin-config.user.inc.php:/etc/phpmyadmin/config.user.inc.php:ro`
first commit 2024-05-26 12:33:49 +02:00			`networks:`
			`- mariadb.{{inventory_hostname}}--network`
			`- traefik`
			`labels:`
			`- traefik.enable=true`
			`# HTTPS`
bmariadb.yml aktualisiert 2024-05-26 17:54:07 +02:00			- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.rule=Host(`mariadb.{{ ansible_facts['nodename'] }}`)
first commit 2024-05-26 12:33:49 +02:00			`- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.entrypoints=https`
			`- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls=true`
			`# Proxy to service-port`
			`- traefik.http.services.mariadb-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=80`
			`- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.service=mariadb-{{ ansible_facts['hostname'] }}`
			`# cert via letsencrypt`
			`- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt`
			`# Traefik network`
			`- traefik.docker.network=traefik`
mariadb.yml aktualisiert 2024-05-26 17:38:04 +02:00			`# auth`
bmariadb.yml aktualisiert 2024-05-26 17:57:05 +02:00			`- traefik.http.routers.mariadb-{{ ansible_facts['hostname'] }}.middlewares=secHeaders@file,default-basic-auth@file`
first commit 2024-05-26 12:33:49 +02:00
			`networks:`
			`mariadb.{{inventory_hostname}}--network:`
			`driver: bridge`
			`driver_opts:`
			`com.docker.network.bridge.name: br-mariadb`
			`traefik:`
			`external: true`

mariadb.yml aktualisiert 2024-05-28 13:50:18 +02:00			`backup: yes`
mariadb.yml aktualisiert 2024-05-28 14:04:13 +02:00			`#notify: Restart mariadb`
first commit 2024-05-26 12:33:49 +02:00
mariadb.yml aktualisiert 2024-05-27 15:34:30 +02:00			`- name: Get letsencrypt cert from traefik`
			`ansible.builtin.shell: /usr/local/sbin/autoupdate.d/mariadb-ssl.update`
			`args:`
			`chdir: /home/docker/mariadb.{{inventory_hostname}}`
			`creates: /home/docker/mariadb.{{inventory_hostname}}/ssl/certificate.pem`
first commit 2024-05-26 12:33:49 +02:00
			`handlers:`

mariadb.yml aktualisiert 2024-05-28 14:04:13 +02:00			`#- name: Restart mariadb`
			`# ansible.builtin.shell: docker-compose up -d --force-recreate`
			`# args:`
			`# chdir: /home/docker/mariadb.{{inventory_hostname}}`
first commit 2024-05-26 12:33:49 +02:00